Setting Custom Firewall Rules for Containers

The firewall settings of each instance at Jelastic are managed in a general way at the infrastructure level, so they are applied equally to all containers at once. However, it can sometimes be necessary to define custom rules for a particular container’s firewall, e.g. to restrict access to it from a particular IP address (and, in such a way, to prevent unwanted or malicious connections from being established), or to allow it to be reached by nodes in other environments.

Such settings are declared in the special iptables-custom file, located within the container’s /etc/sysconfig directory. After being applied by restarting the firewall, they are written to the dedicated system file, which is automatically read during each container startup, so the custom rules are handled alongside the standard ones.

Adjust Your Firewall

In order to set your custom firewall rules, you first need to establish an SSH connection to the required node.

Tip: In case you haven’t performed similar operations before, you need to:

1. Once you’ve entered the required container, check its configuration and ensure that the container’s firewall is actually enabled. For that, open the /etc/jelastic/metainf.conf file and find the FIREWALL_ENABLED parameter:

cat /etc/jelastic/metainf.conf

If it exists and equals “1”, you can proceed with editing the dedicated iptables-custom file inside the /etc/sysconfig folder:

vim /etc/sysconfig/iptables-custom

Note: If the above-mentioned parameter is missing or set to “0”, you need to contact your hosting provider’s technical support and request that firewall protection be enabled for your account first. After that, you’ll be able to manage firewall rules for any of your newly created containers.

2. Within the opened file, you can declare your own firewall rules using the iptables-save format. As an example, we’ll add a rule that drops new TCP connections to port 1111 from the 111.111.111.111 IP address; placing it at the top of the list gives this rule the highest priority:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT -s 111.111.111.111 -p tcp -m state --state NEW -m tcp --dport 1111 -j DROP
COMMIT
#

Note: While customizing, take the following points into consideration:

do not change or override the default firewall rules, as this can break the SSH connection to the container and cause other problems with its accessibility for the platform’s orchestrator

your custom settings should be placed before the defaults, as the last default rule, “0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited”, rejects all remaining incoming connections (so any rules specified after it will never be reached)

Don’t forget to save your changes (e.g. with the :wq command if you are using the vim editor).

3. Now apply the newly defined settings by executing the following command, so that the firewall is restarted with the custom rules added to the common ones:

sudo /usr/bin/jem firewall fwstart

In a couple of seconds you’ll see a line with the operation result.

4. To check whether your changes were successfully applied and to see the current iptables rules in general, use the corresponding list instruction, for example:

sudo /usr/bin/jem firewall list filter -vn

Tip: This command can also be used to explore the nat or mangle tables, i.e. the tables for packet remapping or alteration respectively.

As you can see, the rule we’ve added as an example is now applied, and its location in the first position of the table means it has top priority. In this way, you can configure the firewall rules for your containers according to your requirements at any time.
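To tie together the file format from step 2 and the verification from step 4, here is an added example script (not part of the original article and not Jelastic’s own tooling). It generates an iptables-custom file for a list of source addresses and checks, from a listing in the format printed by jem firewall list filter -vn, that the custom DROP rules sit above the platform’s final REJECT rule. The listing it inspects is a constructed sample; the function names and the 222.222.222.222 address are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Jelastic's own tooling): builds an iptables-custom file in
# iptables-save format and checks a "jem firewall list filter -vn" listing to
# confirm the custom DROP rules sit above the platform's catch-all REJECT rule.

# build_iptables_custom PORT ADDR [ADDR...]
# Prints the file content. "-I INPUT" inserts each rule at position 1 of
# the chain, so every rule here lands above the platform defaults (and the
# last one listed ends up first).
build_iptables_custom() {
    port=$1
    shift
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for addr in "$@"; do
        printf '%s\n' "-I INPUT -s $addr -p tcp -m state --state NEW -m tcp --dport $port -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# custom_rule_before_reject ADDR < LISTING
# Reads an "iptables -vnL"-style listing on stdin (columns: pkts bytes target
# prot opt in out source ...). Returns 0 only if a DROP rule with ADDR as
# source appears before the "reject-with icmp-host-prohibited" line; a rule
# below that line is never reached, which is the mistake the article warns about.
custom_rule_before_reject() {
    awk -v addr="$1" '
        /icmp-host-prohibited/ { seen_reject = 1 }
        $3 == "DROP" && $8 == addr && !seen_reject { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample listing: the example rule at the top (reachable) and a
# second DROP rule mistakenly placed after the default REJECT (never reached).
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       111.111.111.111      0.0.0.0/0            tcp dpt:1111 state NEW
   42  3360 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       222.222.222.222      0.0.0.0/0            tcp dpt:1111 state NEW'

# Usage on a real node (needs root; not executed here):
#   build_iptables_custom 1111 111.111.111.111 > /etc/sysconfig/iptables-custom
#   sudo /usr/bin/jem firewall fwstart
#   sudo /usr/bin/jem firewall list filter -vn | custom_rule_before_reject 111.111.111.111
```

Against the sample listing, the check succeeds for 111.111.111.111 and fails for 222.222.222.222, whose rule is shadowed by the REJECT default.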